Compliance Challenges


Continuing Expansion of Industry & Regulatory Mandates

Ensuring Coverage of Technical & Non-Technical Controls


Maintaining Visibility Across Silos


Due Diligence Beyond Regulated Environment

Necessities to Support Digital Transformation:


Complete Visibility across Business Units, Technologies, and Environments


Simplified Processes, so teams can focus on improving security rather than running products


Flexibility options for capturing required compliance data 


Support for emerging technologies and capabilities 


Tight integration across security technologies to support complex mandates and audit requirements


Automation and process integration to support DevSecOps 


Comprehensive reporting against regulations, mandates & audit objectives
Use Case: FedRAMP/NIST Compliance via Unified Security Program


Customer: Cloud-based Infrastructure Solution Provider
Digital Transformation underway
FedRAMP certification driving compliance unification
Leveraging NIST for control objectives company-wide


Goals:
Address FedRAMP compliance as a by-product of good cybersecurity practices
Consolidated cybersecurity dashboard based on the NIST objectives


Requires: 
Security Vendor Consolidation 
Integrated Solutions 
Strong Regulatory Content 
End-to-End mandate reporting
Breadth & Depth of Coverage 
NIST Control   NIST Control Objective
CM             Information System Component Inventory
CM             Inventory of Authorized and Unauthorized Software
CM             Secure Configuration for Hardware and Software
RA-5           Continuous Vulnerability Assessment & Remediation
AC, IA         Controlled Use of Administrative Privileges
AU             Maintenance, Monitoring and Analysis of Audit Logs
AC             Email and Web Browser Protection
SI-4           Malware Defense
CM, SA         Limitation and Control of Network Ports
CP             Data Recovery Capability
CM, RA         Secure Configurations for Network Devices
Qualys Security Conference, 2018 November 19, 2018 
AC, SI         Boundary Defense
AU             Maintenance, Monitoring, and Analysis of Audit Logs
AC, IA         Controlled Access Based on the Need to Know
AC-17, AC-18   Wireless Access Control
AC, IA         Account Monitoring and Control
AT             Security Skills Assessment and Appropriate Training to Fill Gaps
RA, CM         Vendor Controls Assessment
IR             Incident Response and Management
CA             Penetration Tests and Red Team Exercises
They started with critical requirements for Quick Wins...

1. Inventory your systems
2. Restrict Software
3. Secure Configurations / FIM
4. Continuous Vulnerability Management
5. Review Rights & Permissions
6. Definition, Automated Evaluation & Review of Processes
Complete Visibility


Assessment for Out-of-band Configurations 


Expanded UDC Support
Agent Support for OS UDCs
Database UDC
Windows File Content
Command UDC


PC Dashboard 
Assess ALL your assets against CIS with Qualys Security Configuration Assessment


Security Configuration Assessment 


Lightweight add-on to VM 

Broad platform coverage 

Accurate controls & content 

Simple assessment workflow 

Scan remotely or via agent 

Powered by the Qualys Cloud Platform 


Support for NIST Reporting coming soon!
Broad Technology & Control Coverage to support Emerging Technologies & Digital Transformation

Network Devices 
Applications 
Operating Systems 


Emerging Technologies 


Containers 
Cloud Security 


Security Configuration Assessment (technologies pictured: Cassandra, Elastic, Kafka, Redis)


Policy Compliance 


Database UDC 


Initial Support: MSSQL, Oracle, MongoDB

Define DB Query (read only), customizable by DB version

Set a query to return tabular data to evaluate (which can include evidence)
Screenshot: Database UDC, step 1/3 (General Information): select the technology (Oracle) and add the default control properties.

Default Control Properties
Rationale: Accounts not logged in in last 90 days should be expired
Remediation: In User Management application, set Automated Account Expiration to 90 days
SQL Statement: SELECT UserID, UserName, Role, LastLogin, AccountEnabled FROM UserTable
Then, Configure Pass/Fail Criteria

Define a Post-Filter, then evaluate based on:

Empty Result Set
Row Count Threshold
Always Pass/Fail (for data gathering)
Match Column Criteria
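A worked example of the Database UDC flow just described, added for this page and not Qualys product code: it runs the deck's SELECT statement, applies a post-filter matching the stated rationale (enabled accounts with no login in the last 90 days), and then applies one of the four pass/fail modes. SQLite stands in for the Oracle UserTable, and the rows and the evaluation date are constructed sample data.

```python
# Added example, not Qualys code. Mimics the Database UDC flow: read-only
# query -> post-filter (rationale: enabled accounts idle > 90 days must be
# expired) -> pass/fail evaluation. SQLite replaces Oracle; data is constructed.
import sqlite3
from datetime import datetime, timedelta

# The SQL statement from the deck's control definition.
SQL_STATEMENT = ("SELECT UserID, UserName, Role, LastLogin, AccountEnabled "
                 "FROM UserTable")

# Assumed evaluation date (constructed; any fixed date works for the demo).
NOW = datetime(2018, 11, 19)


def make_sample_db():
    """Build an in-memory UserTable with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE UserTable (UserID INTEGER, UserName TEXT, "
                "Role TEXT, LastLogin TEXT, AccountEnabled INTEGER)")
    con.executemany("INSERT INTO UserTable VALUES (?, ?, ?, ?, ?)", [
        (1, "alice", "DBA", (NOW - timedelta(days=3)).isoformat(), 1),
        # stale but still enabled: this is the violation the control looks for
        (2, "bob", "APP", (NOW - timedelta(days=120)).isoformat(), 1),
        # stale but already disabled: the post-filter must ignore it
        (3, "svc_old", "APP", (NOW - timedelta(days=400)).isoformat(), 0),
    ])
    return con


def run_query(con, sql):
    """Run the read-only control query; rows come back as dicts (the evidence)."""
    cur = con.execute(sql)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def stale_enabled(row, max_age_days=90):
    """Post-filter: enabled account whose last login is older than max_age_days."""
    last_login = datetime.fromisoformat(row["LastLogin"])
    return row["AccountEnabled"] == 1 and (NOW - last_login).days > max_age_days


def evaluate(rows, mode, threshold=0, column=None, expected=None, fixed="PASS"):
    """Apply one of the slide's pass/fail modes; returns (status, evidence)."""
    if mode == "empty_result_set":          # any remaining row is a finding
        status = "PASS" if not rows else "FAIL"
    elif mode == "row_count_threshold":     # tolerate up to `threshold` rows
        status = "PASS" if len(rows) <= threshold else "FAIL"
    elif mode == "match_column":            # every row must carry the expected value
        status = "PASS" if all(r[column] == expected for r in rows) else "FAIL"
    elif mode == "always":                  # data gathering only
        status = fixed
    else:
        raise ValueError(f"unknown evaluation mode: {mode}")
    return status, rows


def check_stale_accounts(con):
    """Full control: query, post-filter, evaluate with Empty Result Set."""
    findings = [r for r in run_query(con, SQL_STATEMENT) if stale_enabled(r)]
    return evaluate(findings, "empty_result_set")  # -> ("FAIL", [bob's row])
```

The evidence rows travel with the verdict, which is what lets an auditor see which accounts caused the FAIL rather than just the status.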


Simplifying Processes

Expanded Library Content

Instance Discovery & Controls

Migration to New UI - Up First:
PC Dashboard
Policy & Control Library
Reporting

Mandate-based Policy Configurator

Leverage Asset Inventory for Asset Lifecycle Management
Mandate Policy Configurator

More Granular, Customizable Control Objectives
Custom & Library Mandates
Generate Policies from Mandate
Mandate-specific Reports
Gap Analysis Reports
Screenshot: Create New: NIST 800-53 Template, step 1/3 (Basic Information): name the template and select the mandate for it. Fields: Title, Mandate (NIST Special Publication 800-53: Security Controls and Assessment Procedures for Federal Information Systems and Organizations), Description.
Screenshot: Create New: NIST 800-53 Template, step 2/3 (Security Control Families): select all or just the security control families you want to configure in this template. Tabs: Select Families / Minimum Security Controls. Initially no families are selected; the picker offers "Select all (14 families)" with entries such as AC - Access Control, AU - Audit and Accountability, AT - Awareness and Training, CM - Configuration Management, CP - Contingency, IA - Identification and Authentication. After selection the list shows 10 control families: AC - Access Control, AU - Audit and Accountability, AT - Awareness and Training, CM - Configuration Management, CP - Contingency, IA - Identification and Authentication, and others.
Screenshot: Create New: NIST 800-53 Template, Configure Policy: index the proper control objectives to their controls and values. Click on the control family to enter the Control editor and find the controls you want to edit.

Status    Control Family
Drafted   AC - Access Control
Queued    AU - Audit and Accountability
Queued    AT - Awareness and Training
Queued    CM - Configuration Management
Queued    CP - Contingency
Queued    IA - Identification and Authentication
Queued    IR - Incident Response
Queued    MA - Maintenance
Queued    MP - Media Protection
Queued    PS - Personnel Security
Queued    PE - Physical and Environmental Protection
Queued    PL - Planning
Queued    PM - Program Management
Queued    RA - Risk Assessment
Screenshot: Objective: IA - Identification and Authentication, list of Total Control Objectives. Filters: Minimum Security Controls High 3.01K / Moderate 982 / Low 89; Priority P0 3.01K / P1 982 / P2 89 / P3 89; Technology: Windows 2012 Server 25, Windows Server 2012 R2 16, Debian GNU/Linux 9.x 5, Docker 1.x 23, F5 BIG-IP 11.x 15, 10 more.

IA-5 Authenticator Management (Priority P1, 15 sections, 384 controls)
  The organization manages information system authenticators by:
  a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator; ...

  IA-5(1) Authenticator Management | Password-Based Authentication (6 sections, 242 controls)
    The information system, for password-based authentication:
    IA-5 (1)(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
    IA-5 (1)(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
    IA-5 (1)(c) Stores and transmits only cryptographically-protected passwords;
    IA-5 (1)(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum
  IA-5(2) Authenticator Management | PKI-Based Authentication (4 sections, 48 controls)
  IA-5(3) Authenticator Management | In-Person or Trusted Third-Party Registration
  IA-5(4) Authenticator Management | Automated Support for Password Strength Determination
  IA-5(5) Authenticator Management | Change Authenticators Prior to Delivery
  IA-5(6) Authenticator Management | Protection of Authenticators
  IA-5(7) Authenticator Management | No Embedded Unencrypted Static Authenticators
  IA-5(8) Authenticator Management | Multiple Information System Accounts
Screenshot: Controls: NIST 800-53 for Windows (36 controls). Filters: Impact Baseline High 3.01K / Moderate 982 / Low 89; Type ANSSI 3.01K / Qualys 982 / CIS 89 / DISA 89; Technology: Windows 2012 Server 25, Windows Server 2012 R2 16, Debian GNU/Linux 9.x 5, Docker 1.x 23, F5 BIG-IP 11.x 15, 10 more. Every row shown is categorized IA-5 (1)(a).

CID    Statement / Technologies
3376   Status of the 'Maximum Password Age' setting (expiration)
       Windows 2012 Server, Windows Server 2012 R2, Solaris 11.x
10734  Status of the 'number of days before a [Prompt user] password expiration warning prompt is displayed at login' for 'users with a password' setting
       Ubuntu 11.x, Windows 2000 Active Directory, Docker 1.x
10965  Status of first module for 'password' stack, in file '/etc/
       Windows 2012 Server, Windows Server 2012 R2, Solaris 11.x
11468  Status of the 'try first pass' setting for pam_cracklib.so module in PAM configuration file '/etc/pam.d/common-password'
       Docker 1.x, Windows 2012 Server
11524  Status of 'fail interval' setting in the file '/etc/pam.d/password-auth'
       Windows 2012 Server
10911  Status of 'turn off certificate revocation list (CRL) checking at the Key Distribution
       Windows 2012 Server, Windows Server 2012 R2
Screenshot: Control: Status of first module for 'password' stack, in file '/etc/pam.d/password-auth' (CID 10965; Last modified: Apr 12, 2017; Reference: 17.15.21; Technologies: 18; Control Values by Technologies (3): Windows 2012 Server, Windows 10, Solaris 11.x). Tabs: About Control, Identification, Activity (Created on: March 1, 2017 10:33 AM; Last Modified on: 8 mins ago 8:32 AM).

Control descriptions visible on the same screen:

The 'Windows Firewall: Apply local connection security rules (Domain)' setting enables domain-based connection rules that govern IPSec connections. As this setting enables or restricts local administrative users from creating such local connection rules, in addition to the connection security rules in Group Policies, which will increase the exposure of the system to remote attacks, this should be configured according to the needs of the business. This Integer value X indicates the current status of the setting Windows Firewall: Domain: Apply local connection security rules using the registry key path HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge. A value of 0 indicates the setting is set to No, a value of 1 indicates the setting is set to Yes. Possible values: No (0), Yes (1), Key not found.

The 'Windows Firewall: Public: Logging: Name' setting is used to specify the path and name of the file in which Windows Firewall will write its log information. If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users. It should be used according to the needs of the business.

Integration Across the Platform: Unified Compliance Assessment

Compliance Assessment

Out of the box Library of Metrics
SAQ Self-Assessments
Vendor Risk Violations
VM & PC Remediation SLA Failures

Customizable! Map back to Control Objectives & Custom Mandates

Result: Single Pane of Glass for Reporting Metrics & Compliance Violation Tracking across the platform!


Defining Metrics & Mappings

Leverages new Alerting feature as exposed in apps

Define ANY QQL Query

Action is Log a Compliance Metric

Metrics are then mapped to Control Objectives, which are cross-mapped to regulations


Screenshot: Create New: Rule, with sections Rule Details, Rule Information, Alert Query, Sample Queries, Trigger Criteria and Test Query (the help text in the mock-up is placeholder copy, "Something about what the user will need to know about the fields below.").

Test Query:
vulnerabilities.vulnerability.severity:"5" and vulnerabilities.vulnerability.patchAvailable:"true" and vulnerabilities.firstFound > now-90d
Security Metric Examples

Metrics shown: High Severity Vulnerabilities / Patching (942); FIM Incident Review Expired; Cloud Security Configuration Issues; Expired or Self-Signed Certificates; Vendor Risk ...; Procedural Control Gap Identified.

Screenshot: Vulnerability Management > Reports, severity breakdown Severity 5: 471, Severity 2: 44, Severity 1: 32. Metric | Control | QID | Title | Count:

Vulnerability Management - Vulnerabilities with CVSS rating 7 or more | RA-5 | 371248 | HPE Intelligent Management Center (iMC) Multiple Vulnerabilities (HPESBHF037...) | 120
Vulnerability Management - Java Vulnerabilities | RA-5 | 371090 | Java Debug Wire Protocol Remote Code Execution Vulnerability | 132
Vulnerability Management - Java Vulnerabilities | RA-5 | 371265 | Oracle Java SE Critical Patch Update - October 2018 | 508
Vulnerability Management - End of Life technologies | RA-5 | 370573 | EOL/Obsolete Software: Apache Struts 1 Detected | 70
Vulnerability Management - End of Life technologies | RA-5 | 105759 | EOL/Obsolete Software: Microsoft Visual Studio 2008 Detected | 76
Vulnerability Management - End of Life technologies | RA-5 | 105757 | EOL/Obsolete Software: pfSense Version 2.2.x Detected | 44
Vulnerability Management - End of Life technologies | RA-5 | 105753 | EOL/Obsolete Operating System: Microsoft Windows 10 Version 1607 Detected | 350
Vulnerability Management - Java Vulnerabilities | RA-5 | 22002 | Oracle Database Server Java VM Remote Code Execution Vulnerability | 55
Vulnerability Management - Java Vulnerabilities | RA-5 | 371035 | Apache Cassandra Arbitrary Java Code | 20
Policy Compliance
File Integrity Monitoring

...and track file changes across global IT


Validating Integrity 


Why do organizations need File Integrity Monitoring solutions?


Change control enforcement 
Compliance & audit requirements 
Explicit mandates like PCI 
Security best practices 
Compromise detection 


Use Case: 


File Integrity Monitoring for PCI 


Customer: Retail 


Distributed network environment that benefits from cloud-based model 
20k+ Windows systems 


Large Linux back end infrastructure on-prem and in the cloud 


Goals: 


Monitor for change control enforcement 
PCI auditor requirements 


Requires: 
Scalable, cloud-based solution 
Hands-off management of distributed agents 
VM+PC+FIM at the Point of Sale 
Broad Linux platform support 
What Are Customers Monitoring?

Critical Operating System Binaries
OS and Application Configuration Files
Content, such as Web source
Permissions (such as on Database Stores)
Security Data (Logs, Folder Audit Settings)
User & Authentication Configurations
FIM Challenges


Deciding what depth to monitor 
Tuning out noise, but not missing important events 
Scalability of legacy solutions 


Meeting auditor event review requirements 
Improvements since GA

Event Review & Incident Management Workflow
Library Content Improvements
AuditD Compatible Windows Agent (2.1.x)
Windows Feature Expansion & Updated Driver (2.1.x)
Several back-end releases for operational improvements & feature support
Focus for 2019

Simplest tuning in the industry!

Secondary Event Filtering and Automated Correlation


API access to data 

Rule-based Alerting 

Reporting 

Expanded data collection & whitelisting features

Expanded Platform Support 
Policy Compliance

FIM Feature Roadmap

Q4 2018 (1.9)
Agent Health UI Improvements
Tune from Event View
Initial Reporting - Change Incident Report
Monitoring Profile Editor Phase ...

Late Q4 2018 / Early Q1 2019 (1.10)
Incident List API
Incident-Event List API
Event Query API
Management Queries API

Q1 2019 (2.0)
Incident ... Workflow
Automated Incident Correlation
Expand Reporting
Basic Notification

Q2 2019 (2.2)
Process Whitelisting
Dashboard Expansion & AssetView Integration

Q3 2019 (2.5)
Show File Text Change Details
Windows Registry Change Detection
FIM Mgmt API features
Monitoring Profile Import/Export
Streaming Event API
External Change Control Integration
Thank You


Tim White 
twhite@qualys.com 


